Email scammers became the target of Virginia state law for the first time in U.S. history earlier this year. In response to email phishing scams that appeared to give attackers access to personal taxpayer information, the Virginia legislature enacted an amendment to the state’s data breach notification law. On March 13, 2017, Governor Terry McAuliffe signed the amendment requiring “employers and payroll service providers to notify the Virginia Office of the Attorney General of unauthorized access to employees’ W-2 information”. The amendment goes into effect on July 1, 2017.
What is the Law?
Virginia’s Data Breach Law was put into place to prevent unauthorized access to and use of personal information. Its age, coupled with changing times, required this recent update. To understand the law, one must understand the definition of a breach. In general, a breach as defined by the state of Virginia is any “…unauthorized access and acquisition of computerized data that compromises the security or confidentiality of personal information and that has or may cause identity theft or other fraud”. This excludes data obtainable from public sources and from federal, state, or local government records.
What is Private Data?
Personal information held by employers and covered by the law consists of social security numbers, driver’s license numbers or state identification card numbers, and financial account, credit and debit card numbers. Employees have the right to acquire this information, and as a result it can be used by cyber attackers in attempts at identity theft.
What Constitutes a Cyber Attack?
Phishing scams are a type of cyber attack delivered in an email message that contains a link leading the user to a malicious website or a harmful download. They target a large number of recipients at once, usually sent by automated bots. Often they are easily dismissed because the subject line resembles spam, but when users believe the message comes from a reliable source, the problems begin.
For example, the body of the message may imitate a legitimate bank or credit card company, enticing the user to pay a bill or update account information. Once the link is clicked, malware loads and the criminals on the other end start downloading data. When successful, these attackers gain access to personal data, including social security numbers, bank account information, credit card numbers, medical records, educational records, and mailing addresses.
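As an added illustration from the defender’s side (this code is not part of the original article), the following Python triage check scores a constructed W-2 request email against the warning signs described above: an outside sender domain, a request for W-2 or payroll data, urgency language, and links that lead outside the company’s own domain. The organisation domain, keyword lists and both sample messages are assumptions made up for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the article): an external sender borrowing an
# executive's title asks payroll for every employee's W-2 via an outside link.
SAMPLE_W2_PHISH = """\
From: "Dana Lee, CEO" <dana.lee@examp1e-corp-mail.com>
To: payroll@example-corp.com
Subject: Urgent: W-2 copies needed today
Content-Type: text/plain; charset=utf-8

Please send the W-2 forms for all employees as a PDF as soon as possible.
Upload them here: http://example-corp.com.secure-upload.test/w2
"""

SAMPLE_BENIGN = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: payroll@example-corp.com
Subject: Printer maintenance on Friday
Content-Type: text/plain; charset=utf-8

The second-floor printer is offline Friday morning, see http://intranet.example-corp.com/notices
"""

INTERNAL_DOMAIN = "example-corp.com"  # assumed domain of the organisation being protected
W2_KEYWORDS = ("w-2", "payroll", "social security")
URGENCY = ("urgent", "asap", "as soon as possible", "today")

def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def assess_w2_phish(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a message looks like a W-2 phishing attempt (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = ((msg["Subject"] or "") + " " + (part.get_content() if part else "")).lower()
    reasons = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and not _in_domain(sender.domain.lower(), internal_domain):
        reasons.append(f"sender {sender.addr_spec} is outside {internal_domain}")
    if any(k in text for k in W2_KEYWORDS):
        reasons.append("requests W-2, payroll or SSN data")
    if any(u in text for u in URGENCY):
        reasons.append("pressures the recipient with urgency")
    for url in re.findall(r"https?://\S+", text):
        host = urlparse(url).hostname or ""
        if not _in_domain(host, internal_domain):
            reasons.append(f"link host {host} is outside {internal_domain}")
    return reasons
```

A real mail gateway would combine such reasons with authentication results (SPF/DKIM/DMARC) rather than acting on keywords alone; the point here is that every signal the article lists can be checked mechanically before a payroll clerk ever reads the message.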
How are Businesses Impacted?
The increasing rate of internet crime has pushed companies to become more vigilant about cybersecurity and about protecting their systems and employees, but what happens when an attack does occur? Virginia responded with the notification requirement in the amended law. It specifically addresses phishing activity, a cybercrime that runs rampant, happens quickly, and typically occurs without warning.
As soon as a company falls victim to a phishing scam, the employer faces a loss of valuable time and money that could have been spent growing the business. A company’s reputation also suffers when the scam reaches the media. In the third quarter of 2016, at least 340 brands per month were impacted by attacks, according to the Anti-Phishing Working Group. Consumers taken in by a scam email that appears to come from one of their favorite brands may refuse to spend their dollars with that company and turn to a competitor. Large lawsuits by victims can hurt a company’s bottom line.
What can Businesses Do to Protect Employees?
What does this mean for employers? With more sophisticated email scams on the rise, there are a number of safeguards employers can put into place to protect employees’ personal information.
- Limit access to data to only those employees who need it. For example, if a company runs a shared network, not all employees will need access to every department’s data. The payroll and accounting staff, in particular, should have encrypted access to help lessen the impact of a phishing attack.
- Business owners must keep in mind that their employees could be tempted to steal personal information for their own gain. Everyday technology like smart phones, email, and instant messaging makes it easy for anyone to be a data thief.
- Employers can start by implementing policies and procedures. The Acceptable Use Policy sets boundaries on the use of company information, computers, and copyright material. The second policy to consider is the Data Classification and Retention Policy, which determines the type of information a company holds and for how long it is kept in the system. The IT department should be required to set safeguards and guidelines for proper use of employee computers for additional security. Limitations can be set on materials accessible for downloading and software to be installed.
- Keep employees aware of what to look for in phishing attempts. Well-trained employees will be able to take precautions as a regular part of the job and will be able to recognize when something looks “phishy” and if any communication is not from a legitimate source.
- When outsourcing work, always go with a trusted contractor or firm. Background checks and clearly outlined contracts are essential; they can save business owners unnecessary expense if a vendor or the vendor’s staff misuses confidential data. Appoint one person to be responsible for all privacy aspects of the information and limit the data shared to what the contract specifically requires. Ensure that any requests for information are directed to your company. Finally, once the contract has expired, make sure any information that was transferred is permanently destroyed.
Plan Ahead to Reduce the Risk of an Attack
Developing a plan to mitigate a phishing attack takes some forethought, but in the event of a security breach it can save time, money, and stress. One wrong click of the mouse can let malware take over an entire system quickly, but an efficient response plan, just like in any emergency, can be a lifesaver.